In recent times, sophisticated payment, point-of-sale, and transaction systems have been integrated into various retail machines that historically did not include relatively advanced electronics. For example, newer fuel dispensers often include graphical displays, audiovisual devices, card readers, keypads or PIN pads, and other input devices. An example of such a fuel dispenser is illustrated in U.S. Pat. No. 7,289,877, which is hereby incorporated in its entirety by reference for all purposes.
Using such a retail terminal, a customer is able to pay for goods or services offered by a retailer by inserting a debit or credit card into the terminal's card reader. The customer may then be required to enter a personal identification number (“PIN”) using a PIN pad in order to complete the transaction. The system may also request that the customer provide other information using the PIN pad, which may include sensitive information.
For example, FIG. 1 illustrates a fueling site 100 adapted to provide fuel to a customer and to accept payment for the dispensed fuel. Fueling site 100 comprises a fuel dispenser 102 and a site controller 104. Typically, one or more additional fuel dispensers may also be located at fueling site 100. Fuel dispenser 102 is configured to receive financial information from a customer using a credit or debit card in order to provide payment for the fuel dispensed to the customer's vehicle.
Fuel dispenser 102 typically comprises a user interface 106, a processing device 108, and memory 110. Processing device 108 is operatively connected to user interface 106 and memory 110. User interface 106 includes a display 112, a card reader 114, and a PIN pad 116, each of which is operatively connected to processing device 108. Typically, PIN pad 116 is a physical device comprising a plurality of mechanical buttons or keys.
As should be understood by those skilled in the art, fuel dispenser 102 also includes various components configured to deliver fuel to a vehicle. For instance, fuel dispenser 102 additionally comprises a piping network 118 in fluid communication with one or more underground storage tanks, a meter 120, a pulser 122, a valve 123, a hose 124, and a nozzle 126. Processing device 108 is operatively connected to one or more of these components in order to control their operation and manage the delivery of fuel. Processing device 108 is also operatively connected to site controller 104, which is in communication with a host system 128 via a wide area network (“WAN”) 130 (such as the Internet). Site controller 104 is typically situated within a convenience store or central building located within fueling site 100.
Processing device 108 controls the operation of display 112, card reader 114, and PIN pad 116. Display 112 provides visual instructions to the customer as to the manner by which the fueling process should be initiated. For instance, the instructions may direct the customer to swipe a credit or debit card using card reader 114 prior to dispensing fuel. Once this occurs, display 112 may instruct the customer to enter the PIN corresponding to the swiped card via PIN pad 116 (depending on the type of card provided). Display 112 may also be configured to present additional content provided by the convenience store owner or third parties, such as advertisements, during the fueling process.
After the customer enters the PIN, processing device 108 transmits data representative of the payment information provided by the customer including the PIN to site controller 104. Site controller 104 communicates with host system 128 in order to authorize the transaction based on the information provided by the customer. Host system 128 is associated with the entity responsible for the customer's financial account corresponding to the swiped card and either authorizes or denies the transaction. Site controller 104 then informs processing device 108 whether host system 128 authorized the transaction based on the information submitted.
If the transaction has been authorized, processing device 108 allows use of fuel dispenser 102 by the customer. When the fueling process is complete, processing device 108 transmits data to site controller 104 representative of the completed transaction, including the total volume of fuel dispensed and/or the total price of the dispensed fuel. Site controller 104 communicates with host system 128 in order to finalize the transaction, which may include debiting the customer's account for the dispensed fuel, as should be well-known to those in the relevant art.
Physical PIN pads, such as PIN pad 116, are mechanical devices and are therefore susceptible to wear and deterioration. Physical PIN pads also occupy space in the retail terminal and are associated with manufacturing, installation, and maintenance costs, which are substantial in certain instances.
Some payment systems have replaced the conventional display with a touch screen, thereby allowing the customer to provide information to the system via the touch screen. For instance, a payment system may present a “virtual” PIN pad via the touch screen as an alternative to a mechanical PIN pad.
There is concern that virtual PIN pads could be susceptible to fraud. For instance, an unauthorized device may be attached to the touch screen or placed between the touch screen and the processing device in an attempt to intercept a PIN entered by a customer using the touch screen. If the relationships between the virtual keys/numbers and their respective locations on the touch screen are known or can be determined, such a device may attempt to convert the touch screen signals back into the customer's PIN. Or, as with a mechanical PIN pad, a perpetrator could observe the customer's finger movement and ascertain the PIN itself.
Moreover, because such touch screens are usually configured to display advertisements in addition to the virtual PIN pad, content intended to deceive a customer into entering a PIN may be provided to the user interface under the guise of being an advertisement. In such a scenario, the touch screen displays the fake advertisement, which may include a false virtual PIN pad, and instructs the customer to enter the PIN. Typically, a touch screen itself is not tamper-resistant. In addition, touch screen data is not encrypted if the touch screen is used for general advertisement. For these reasons, touch screen data is usually transmitted “in the clear.” Either the uploaded content or an unauthorized device could intercept and transmit the data output by the touch screen to the perpetrator.
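An added example, not part of the original text, of the exposure described in the two preceding paragraphs: when touch coordinates travel in the clear and the key layout is fixed, a tap trace decodes directly to the PIN. The grid geometry, the sample PIN, and the per-session shuffled layout used for contrast are assumptions made for this illustration and are not described in this passage.

```python
import random

# Constructed geometry (assumption): 100x100 px keys; the ten digit cells are
# a 3x3 block plus the bottom-centre cell, as on a telephone keypad.
CELLS = [(c, r) for r in range(3) for c in range(3)] + [(1, 3)]
FIXED_LAYOUT = dict(zip(CELLS, "1234567890"))  # same positions every session

def cell_of(x, y, key_px=100):
    """Map a raw touch coordinate to the grid cell it falls in."""
    return (x // key_px, y // key_px)

def shuffled_layout(rng):
    """Assumed contrast case: digits reassigned to the cells for each session."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return dict(zip(CELLS, digits))

def taps_for(pin, layout, key_px=100):
    """Cell-centre coordinates a customer touches to enter `pin`."""
    where = {digit: cell for cell, digit in layout.items()}
    half = key_px // 2
    return [(where[d][0] * key_px + half, where[d][1] * key_px + half)
            for d in pin]

def decode(taps, layout):
    """What a party holding `layout` reads out of a cleartext tap trace."""
    return "".join(layout[cell_of(x, y)] for x, y in taps)

def exposure(pin, trials=2000, seed=1):
    """Fraction of sessions where assuming FIXED_LAYOUT recovers the PIN,
    returned as (fixed-layout sessions, shuffled-layout sessions)."""
    rng = random.Random(seed)
    fixed_hits = shuffled_hits = 0
    for _ in range(trials):
        fixed_hits += decode(taps_for(pin, FIXED_LAYOUT), FIXED_LAYOUT) == pin
        session = shuffled_layout(rng)
        shuffled_hits += decode(taps_for(pin, session), FIXED_LAYOUT) == pin
    return fixed_hits / trials, shuffled_hits / trials

if __name__ == "__main__":
    print(exposure("4921"))  # constructed sample PIN
```

The shuffled case only hides the PIN from a party that sees coordinates but not the layout; content that can read the displayed layout, or an observer watching the screen, still learns the mapping.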
Additionally, devices that accept financial information from a customer, such as PINs, must adhere to certain standards to ensure the provided information is secure. For instance, the Payment Card Industry Security Standards Council (“PCI”) is an entity that establishes security standards for the protection of sensitive cardholder data. PCI has established the Payment Application Data Security Standard (“PA-DSS”) to provide standards for software used in payment systems. Because virtual PIN pads handle sensitive cardholder data, such as PINs, they are subject to the PA-DSS. These devices may also be subject to other standards, such as the EMV standard, originally developed by Europay, MasterCard, and Visa, or those established by other organizations or associations, such as the European Payment Council (“EPC”). Furthermore, because the use of touch screens typically involves the display of both secure and unsecure content by a single device, they may be required to adhere to stricter security requirements than a mechanical PIN pad.